
Backup Encryption: Everything You Need to Know

When you choose an online backup service, it makes sense to consider how your provider deals with backup encryption. This will ensure your data is kept private, and safe from prying eyes.

If you check out our backup reviews, you’ll notice that we always spend some time finding out the finer details of what all the providers do in terms of backup encryption when we check out their services. The purpose of this article is to explain what all the terminology means, to help you make an informed decision about the kind of backup encryption you want and need.

Backup Encryption: The Basics

Almost all online backup providers perform at least some form of encryption on your data. This is primarily so it’s safe from interception while you upload it.

At a very minimal level, this means your data is encrypted during data transfer. However, there’s much more to backup encryption than this. What you really need to find out, if you care about security, is what happens to your stored data in terms of encryption, and also whether your data is encrypted before it even leaves your computer.

Let’s start there then, with the “gold standard” for backup encryption known as “end-to-end encryption.”

End-to-end backup encryption

If a provider uses end-to-end encryption, the backup software encrypts the data you wish to back up before it even leaves your computer and begins its electronic journey to your provider’s servers. Once there, it remains encrypted. Providers that use this kind of secure backup encryption include Backblaze, iDrive and CrashPlan.

It’s even possible to go one step further than this with a zero-knowledge backup provider such as SpiderOak. Zero-knowledge providers use end-to-end encryption and don’t even hold the encryption keys to decrypt the data you store on their servers. Even if the NSA turned up at their data center with a warrant, they wouldn’t be able to get to your data without the credentials that only you know.

Depending on your own stance on privacy that may all seem a little “cloak and dagger,” but it’s a good way to illustrate the ultimate in backup encryption. Zero-knowledge backup may not appeal to you if you’re someone with a tendency to lose passwords, as not even the provider’s staff will be able to get you into your data if you lock yourself out of it!

So, stepping down to the next rung of the ladder, we have end-to-end encryption but without the zero-knowledge element. This is still very secure, but generally means that the provider (and some of its staff) could see your data if it chose to. Obviously this highlights the need to choose a trustworthy provider (and our reviews can help with that), but this is a good middle ground between privacy and usability.

Online backup vs. cloud storage

As we step further down that ladder, we lose more and more in terms of privacy. Without end-to-end encryption, data is encrypted during transit but not before, increasing the potential for data to be intercepted by some kind of “man in the middle” hack.

Then at the other end, you can have data that’s stored in unencrypted form once it’s completed its journey.

At this juncture, it makes sense to emphasise the difference between online backup services and cloud storage.

Although boundaries are often blurred between these services, cloud storage services such as Google Drive and Dropbox are more about storage and collaboration than traditional backup services, which are about keeping a safe and secure copy of your data.

These cloud storage services are also largely at the bottom of the pile when it comes to backup encryption. Although there is some level of “at rest” encryption in place with most services, these are far removed from the zero-knowledge backup services described above – and as news stories prove, data breaches do sometimes occur.

DIY Backup Encryption

If you wish to take backup encryption “into your own hands” there is another option open to you. You can encrypt your data yourself before you send it up to your chosen backup or cloud service provider.

This means, for example, that you could make use of the collaborative sharing powers of something like Dropbox, but also store some self-encrypted files on your account.

Use VeraCrypt to create an encrypted “container” in which to store all the files you wish to keep private. This container takes the same form as any other file on your computer, but is fully encrypted and garbled without your encryption keys.

Upload this file to your chosen backup or cloud storage service, resulting in a backed-up copy of all of your secret files, which cannot be accessed without your credentials, even if the file is intercepted at any point.
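The encrypt-before-upload principle behind both zero-knowledge backup and the DIY approach can be shown on a single file. The sketch below is an added example, not part of the original article: it uses Python's `cryptography` package with scrypt and AES-256-GCM instead of a VeraCrypt container, and the function names and sample data are hypothetical.

```python
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

SALT_LEN, NONCE_LEN = 16, 12


def derive_key(passphrase: str, salt: bytes) -> bytes:
    # scrypt makes every passphrase guess expensive; parameters are illustrative.
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def encrypt_for_upload(plaintext: bytes, passphrase: str) -> bytes:
    """Runs on your computer. Returns salt || nonce || ciphertext+tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = derive_key(passphrase, salt)
    # The salt and nonce are not secret; the key and passphrase never leave the client.
    return salt + nonce + AESGCM(key).encrypt(nonce, plaintext, None)


def decrypt_after_download(blob: bytes, passphrase: str) -> bytes:
    """Runs on your computer. Raises InvalidTag on a wrong passphrase or altered blob."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    key = derive_key(passphrase, salt)
    return AESGCM(key).decrypt(nonce, blob[SALT_LEN + NONCE_LEN:], None)


def can_open(blob: bytes, passphrase: str) -> bool:
    """What anyone holding only the stored blob is reduced to: guessing passphrases."""
    try:
        decrypt_after_download(blob, passphrase)
        return True
    except InvalidTag:
        return False


if __name__ == "__main__":
    secret = b"constructed sample: contents of a private document"
    stored = encrypt_for_upload(secret, "correct horse battery staple")
    print("provider stores", len(stored), "bytes; plaintext visible:", secret in stored)
    print("wrong passphrase opens it:", can_open(stored, "letmein"))
    print("right passphrase opens it:", can_open(stored, "correct horse battery staple"))
```

The provider only ever receives the returned blob, so nobody on the provider side can reset or recover a lost passphrase.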

A note on backup disk encryption

If you create local backups using something like Apple’s Time Machine or the Backup and Restore functionality built into Microsoft Windows, these backups are not encrypted by default. Therefore, if someone steals a backup drive from your home or your bag, your data is easily accessible.

You have various options here. Adding encryption to Time Machine backups is a simple question of checking a tickbox on a Mac. It’s similarly simple with Windows, but only if you have an “Ultimate” version of the operating system (or “Professional” in the case of Windows 10).

Another option for you is to use VeraCrypt or similar, as described above, to handle backup disk encryption. The key point is not to invest loads of time in ensuring maximum privacy and security for your online backup, only to leave an unencrypted backup drive next to your computer as easy pickings for a thief!

Backup Encryption: Conclusion

Hopefully, this explanatory article has given you the information you need to make the right decisions about backup encryption.

Some people won’t feel the need for zero-knowledge backup; others will be prepared to sacrifice end-to-end encryption for the convenience of Dropbox; many will fall somewhere in the middle.

Now you know what the terminology all means, our online backup reviews would be the ideal next port of call to find a service that fits your requirements perfectly.

Written by Ben Taylor

Ben was a geek long before "geek chic," learning the ropes on BBC Micros, before moving on to Atari STs and IBM compatibles. He was "online" using a 1200bps modem before the Internet was even a thing. Now, after two decades in the industry, he writes about technology for various publications, operates a few websites of his own, and runs a bespoke IT consultancy based in London.